Opened 5 years ago

Last modified 5 years ago

#11 reopened defect

VHost/IP-Mismatch may allow for access to unintended VHosts

Reported by: https://id.mayfirst.org/dkg Owned by: https://id.mayfirst.org/dkg
Priority: major Component: code
Version: 5.10 Keywords: test-needed
Cc:

Description

imported from mantis:

Due to a problem with the way VHost configurations are matched to the connection it is possible that on a configuration with multiple IPs (e.g. IPv4/IPv6 or multiple IPv4) an attacker could issue a request on one IP address of the server which requests a VHost that should only be available on a different (possibly private) IP address.

Additional Information

  1. Create two VHosts on different IPs.
    • VHost A on IP1
    • VHost B on IP2
  2. Open a connection to IP1 requesting a domain only available on IP2 (e.g. B)

Expected: Default fallback VHost of IP1
Actual: Some random matching VHost configuration for the domain even if mismatching the IP.

Note that in order to get a configuration of the wrong IP it's enough to have a VHost for Domain A on IP2 as well as IP1 (e.g. the IPv4/IPv6 Dual Stack case). That's also how I noticed this misbehaviour.
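The selection logic the report describes, as an added illustration that is not mod_gnutls code: a lookup that matches on the requested name alone (the reported behaviour) beside one that only considers VHosts bound to the IP the client actually connected to and otherwise falls back to that IP's default VHost. The addresses, names and wildcard alias are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class VHost:
    name: str                                   # ServerName
    ip: str                                     # address this VHost is bound to
    aliases: List[str] = field(default_factory=list)  # ServerAlias, may use "*"

    def matches(self, host: str) -> bool:
        """Case-insensitive match on ServerName or any (wildcard) alias."""
        host = host.lower()
        return host == self.name.lower() or any(
            fnmatchcase(host, alias.lower()) for alias in self.aliases)


def select_vhost_buggy(vhosts: List[VHost], local_ip: str, sni: str) -> VHost:
    """Behaviour from the ticket: first VHost whose name matches, bound IP ignored,
    so a name that only exists on another IP is still served."""
    for v in vhosts:
        if v.matches(sni):
            return v
    return next(v for v in vhosts if v.ip == local_ip)


def select_vhost_fixed(vhosts: List[VHost], local_ip: str, sni: str) -> Optional[VHost]:
    """Candidates are restricted to VHosts bound to the connected IP; if none of
    them matches the requested name, the first VHost on that IP is the default."""
    candidates = [v for v in vhosts if v.ip == local_ip]
    if not candidates:
        return None                             # no VHost configured on this IP at all
    for v in candidates:
        if v.matches(sni):
            return v
    return candidates[0]


# Constructed configuration (assumption): IP1 is public, IP2 is a private address.
IP1, IP2 = "192.0.2.10", "10.0.0.5"
VHOSTS = [
    VHost("a.example.org", IP1),                          # default VHost on IP1
    VHost("b.example.org", IP2, ["*.b.example.org"]),     # meant to be reachable only via IP2
    VHost("a.example.org", IP2),                          # dual-homed copy of A (the case in the note)
]
```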

Change History (2)

comment:1 Changed 5 years ago by https://id.mayfirst.org/dkg

  • Resolution set to fixed
  • Status changed from new to closed

benbe said:

If my tests were correct (OpenSSL s_client didn't like IPv6 and GnuTLS-cli didn't like being told the exact SNI header to send ...) I couldn't convince mod_gnutls to send VHosts differing from those configured on the webserver for the IP I was connecting to. Due to the various bugs in OpenSSL s_client and gnutls-cli I couldn't verify this holds true for the Host header sent when the TLS session is established though. But given the VHost selection with Wildcard Aliasing being fixed too this issue should not be exploitable anymore.

dash said:

According to BenBE [reporter] this seems not exploitable in /trunk.

comment:2 Changed 5 years ago by https://id.mayfirst.org/dkg

  • Keywords test-needed added
  • Resolution fixed deleted
  • Status changed from closed to reopened

I'd like to see a test written for this, though.
